# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved## This file may contain proprietary rules that were created, tested and# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as# rules that were created by Sourcefire and other third parties and# distributed under the GNU General Public License (the "GPL Rules").  The# VRT Certified Rules contained in this file are the property of# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.# The GPL Rules created by Sourcefire, Inc. are the property of# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights# Reserved.  All other GPL Rules are owned and copyrighted by their# respective owners (please see www.snort.org/contributors for a list of# owners and their respective copyrights).  In order to determine what# rules are VRT Certified Rules or GPL Rules, please refer to the VRT# Certified Rules License Agreement.### $Id: deleted.rules,v 1.37.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $#-------------# DELETED RULES#-------------# These signatures have been deleted for various reasons, but we are keeping# them here for historical purposes.# Duplicate to 332alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER probe 0 attempt"; flow:to_server,established; content:"0"; reference:arachnids,378; classtype:attempted-recon; sid:325; rev:4;)# Duplicate of 512alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:511; rev:5;)# Duplicate of 514alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"MISC ramen worm incoming"; flow:established; content:"GET "; depth:8; nocase; reference:arachnids,460; classtype:bad-unknown; sid:506; rev:4;)# Duplicate of 557alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:558; rev:5;)# Duplicate of 559alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:559; rev:6;)# Duplicate of 844alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC O'Reilly args.bat access"; flow:to_server,established; uricontent:"/cgi-dos/args.bat"; nocase; classtype:attempted-recon; sid:1121; rev:5;)# Yeah, so the one site that was vulnerable to edit.pl aint no more.# http://packetstorm.widexs.nl/new-exploits/freestats-cgi.txtalert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI edit.pl access"; flow:to_server,established; uricontent:"/edit.pl"; nocase; reference:bugtraq,2713; classtype:attempted-recon; sid:855; rev:6;)# duplicate of 987alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .htr request"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,4474; reference:cve,2002-0071; reference:nessus,10932; classtype:web-application-activity; sid:1619; rev:8;)# webmasters suck, so this happens ever so often.  Its really not that bad,# so lets disable it.alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC prefix-get //"; flow:to_server,established; uricontent:"get //"; nocase; classtype:attempted-recon; sid:1114; rev:6;)# dup of 1660alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .NET trace.axd access"; flow:to_server,established; uricontent:"/traace.axd"; nocase; classtype:web-application-attack; sid:1749; rev:4;)# dupalert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet ../../ DOS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/../../../../../../../../../../../"; reference:bugtraq,2282; reference:cve,2001-0252; classtype:web-application-attack; sid:1049; rev:11;)# Falses WAAAYYY too often.alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES directory listing"; flow:from_server,established; content:"Directory of"; nocase; classtype:unknown; sid:496; rev:8;)# Replaced with 1801,1802,1803,1804alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS header field buffer overflow attempt"; flow:to_server,established; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1768; rev:7;)# duplicate of sid:1673alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:1698; rev:4;)# Port based only sigs suck, this is why stream4 has flow logsalert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected"; flow:established; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:5;)# basically duplicate of 330alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop redirection"; dsize:11; flow:to_server,established; content:"@localhost|0A|"; reference:arachnids,11; classtype:attempted-recon; sid:329; rev:8;)# duplicate of 1478alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swc attempt"; flow:to_server,established; uricontent:"/swc"; nocase; classtype:attempted-recon; sid:1477; rev:5;)# duplicate of 1248alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>258; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-attack; sid:1246; rev:14;)# duplicate of 1249alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>259; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-attack; sid:1247; rev:11;)# duplicate of 1755alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT partial body overflow attempt"; dsize:>1092; flow:to_server,established; content:" x PARTIAL 1 BODY["; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1780; rev:9;)# duplicate of 1538alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:291; rev:12;)# This rule looks for the exploit for w3-msql, but very badly